PHP Security Breach
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Y! MyWeb
Share:
Sponsors:
I urge all our users to make the following change to viewtopic.php as a matter of urgency. Open viewtopic.php in any text editor. Find the following section of code:
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));
for($i = 0; $i < sizeof($words); $i++)
{
and replace with:
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));
for($i = 0; $i < sizeof($words); $i++)
{
Note: Please inform as many people as possible about this issue. If you're a hosting provider please inform your customers if possible. Else we advise you implement some level of additional security if you run ensim or have PHP running cgi under suexec, etc.
If your hosted by Codezhost... no worries we have suexec shutdown and nothing can be called from it.
Article submitted by: Telli
Last Update: 12-05-2004
Category: Security
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));
for($i = 0; $i < sizeof($words); $i++)
{
and replace with:
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));
for($i = 0; $i < sizeof($words); $i++)
{
Note: Please inform as many people as possible about this issue. If you're a hosting provider please inform your customers if possible. Else we advise you implement some level of additional security if you run ensim or have PHP running cgi under suexec, etc.
If your hosted by Codezhost... no worries we have suexec shutdown and nothing can be called from it.
Article submitted by: Telli
Last Update: 12-05-2004
Category: Security
Current rating: 5.31 by 54 users
| Would you recommend this article to a friend? |
| Not a Chance | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | Absolutely |
Related News Stories
(9,487 reads) 07-05-2008
· Fusion Security(15,152 reads) 06-02-2007
· NukeSentinel(tm)2.5.10 Critical Update(13,918 reads) 05-07-2007
· NukeSentinel(tm) 2.5.08 Maintainance Release(15,384 reads) 03-15-2007
· NukeSentinel(tm) 2.5.07 Reissued: Critical Update(13,890 reads) 03-02-2007
· NukeSentinel(tm) 2.5.06: Critical Update(14,640 reads) 01-23-2007
· NukeSentinel(tm) 2.5.05 released(14,666 reads) 12-24-2006
· NukeSentinel 2.5.04 released(14,396 reads) 11-03-2006
· NukeSentinel(tm) 2.5.03 Released(18,235 reads) 10-19-2006
· Php Nuke 8.0 Patched(14,624 reads) 10-01-2006
· ipBan Modification
Please register or sign-in to post comments.